Thanks to tip from a reader of this blog, it has come to my attention that the Ontario Science Center has apparently had a data breach according to this. What is weird about that statement is that it isn’t posted to the Ontario Science Center website. The reader in question got it in an email. Thus I suspect that the broader public doesn’t know as a quick browse of their website indicates that they haven’t posted anything in the public realm about this.
Anyway, here’s the key details:
On August 16, 2019, the Ontario Science Centre received notification from Campaigner that someone made a copy of the Science Centre’s subscriber emails and names without authorization. No other personal identification, financial information or passwords were accessed.
An investigation conducted by Campaigner revealed that the credentials of a former employee were used from July 23 to August 7 to access and download the information contained in the Science Centre’s client account. Upon learning of the breach, Campaigner immediately discontinued use of the credentials and implemented further measures to prevent a similar issue happening in the future. Campaigner also notified law enforcement and are assisting the authorities in finding the perpetrator.
So what that says right off the top is that the Ontario Science Center would have had no clue about this had Campaigner not pointed it out. That’s not how things should work kids. In any case, the statement has all the usual things that companies say when they’ve been pwned in some way. Including the fact that the Information and Privacy Commissioner of Ontario has been contacted.
Yes, I am becoming a bit jaded because this sort of thing happens way too often.
It will be interesting to see if the Ontario Science Center will make a public disclosure beyond what they have already done. I’m keeping an eye out to see what happens next.
UPDATE: CBC News is now reporting on this. I don’t see any other media reports thus far.